Detectionmediumtest

Sysmon Configuration Change

Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Wed Jan 128ac03a65-6c84-4116-acad-dc1558ff7a77windows

Log Source

Windowssysmon

ProductWindows← raw: windows

Servicesysmon← raw: sysmon

Detection Logic

detection:
    selection:
        EventID: 16
    # To avoid FP just add
    # filter:
    #      ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
    # condition: selection and not filter
    condition: selection

False Positives

Legitimate administrative action

References

Resolving title…

learn.microsoft.com

Testing & Validation

Regression Tests

by SigmaHQ Team

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Rule Metadata

Rule ID

8ac03a65-6c84-4116-acad-dc1558ff7a77

Status

test

Level

medium

Type

Detection

Created

Wed Jan 12

Author

François Hubaut

Path

rules/windows/sysmon/sysmon_config_modification.yml

Raw Tags

attack.defense-evasion

View on GitHub